topos.functors.probes.cpg.danger
Dangerous-API reachability probe (CPG → ℝ).
Counts call-site nodes whose callee text matches the per-language registry of dangerous APIs. The match is intentionally textual: the UAST mappers do not carry token text, so we slice the original source by the CPG node’s byte span and pattern-match the result.
- topos.functors.probes.cpg.danger.effective_registry(language, allow)
Dangerous-API registry for language minus any allowlisted patterns.
A registry entry is dropped when it matches an allowlist pattern under the same suffix-aware rules used for callee matching.
allow=None (or empty) returns the full registry unchanged — the canonical default.
- topos.functors.probes.cpg.danger.dangerous_api_reachable(cpg, allow=None)
Count CallExpr nodes whose callee text matches the dangerous-API registry for
cpg.language. Matches both bare names (eval) and dotted/qualified names (pickle.loads).
When allow is given, allowlisted patterns are excluded from the registry first. The default allow=None preserves the canonical behavior used by CodePropertyGraph.metrics().
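
The textual match and allowlist filtering described above, as an added stand-alone sketch (not the topos implementation). All function names, the sample registry and the sample source are constructed for illustration, and the suffix rule (exact match or match on a dotted-name boundary) is an assumption about what "suffix-aware" means here.

```python
from typing import Iterable, Optional, Tuple

# Constructed sample registry; the page does not list the real entries.
REGISTRY = {"python": ("eval", "exec", "pickle.loads", "os.system")}

def suffix_match(text: str, pattern: str) -> bool:
    # Assumed rule: exact match, or match on a dotted-name boundary.
    return text == pattern or text.endswith("." + pattern)

def filter_registry(language: str, allow: Optional[Iterable[str]] = None):
    # Drop entries matched by any allowlist pattern; None/empty keeps all.
    allow = tuple(allow or ())
    return tuple(e for e in REGISTRY.get(language, ())
                 if not any(suffix_match(e, a) for a in allow))

def callee_text(source: bytes, span: Tuple[int, int]) -> str:
    # Spans are byte offsets, so slice the bytes and decode afterwards.
    start, end = span
    return source[start:end].decode("utf-8", errors="replace").strip()

def count_dangerous_calls(source: bytes, language: str, callee_spans, allow=None) -> int:
    # Count call sites whose callee text matches the filtered registry.
    registry = filter_registry(language, allow)
    return sum(1 for s in callee_spans
               if any(suffix_match(callee_text(source, s), p) for p in registry))

def span_of(source: bytes, callee: str) -> Tuple[int, int]:
    # Stand-in for a CPG CallExpr node's callee byte span (last occurrence).
    needle = callee.encode("utf-8")
    start = source.rindex(needle)
    return (start, start + len(needle))

# Constructed source; the non-ASCII literal makes byte and str offsets diverge.
SOURCE = ('name = "café"\n'
          'obj = pickle.loads(blob)\n'
          'evaluate(x)\n'
          'eval(y)\n').encode("utf-8")
SPANS = [span_of(SOURCE, c) for c in ("pickle.loads", "evaluate", "eval")]

if __name__ == "__main__":
    print(count_dangerous_calls(SOURCE, "python", SPANS))                    # full registry
    print(count_dangerous_calls(SOURCE, "python", SPANS, ["pickle.loads"]))  # allowlisted
```

Under the assumed rule, `evaluate` is not counted because `eval` must match the whole callee or follow a dot, and an allowlist pattern of `loads` also removes `pickle.loads`, which is worth keeping in mind when reviewing how broad an allowlist entry is.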